Merge branch 'main' into develop

Author: soonge2

src/main/java/com/moa/moa_server/config/security/ProdSecurityConfig.java

@@ -1,37 +1,76 @@
 package com.moa.moa_server.config.security;
 
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
-import org.springframework.security.config.Customizer;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
 
 import static com.moa.moa_server.config.security.SecurityConstants.ALLOWED_URLS;
 
+@RequiredArgsConstructor
+@EnableWebSecurity
 @Configuration
 @Profile("prod")
 public class ProdSecurityConfig {
 
+    @Value("${frontend.url}")
+    private String frontendUrl;
+
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
+    private final CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
+
     @Bean
-    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain securityFilterChain(HttpSecurity http, CorsConfigurationSource corsConfigurationSource) throws Exception {
         http
-                .csrf(csrf -> {})
-                .cors(Customizer.withDefaults())
+                .csrf(AbstractHttpConfigurer::disable)
+                .cors(cors -> cors.configurationSource(corsConfigurationSource))
                 .httpBasic(AbstractHttpConfigurer::disable)
                 .formLogin(AbstractHttpConfigurer::disable)
+                .exceptionHandling(ex -> ex.authenticationEntryPoint(customAuthenticationEntryPoint))
                 .authorizeHttpRequests(auth -> auth
+                        .requestMatchers(HttpMethod.GET, "/api/v1/votes").permitAll()
                         .requestMatchers(ALLOWED_URLS).permitAll()
                         .anyRequest().authenticated()
-                );
+                )
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }
 
+    /**
+     * CORS 정책을 설정하고, 이를 Spring Security에 등록하는 Bean을 반환
+     */
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration config = new CorsConfiguration();
+
+        config.setAllowedOriginPatterns(List.of(frontendUrl)); // 요청을 허용할 출처(origin) 패턴을 설정
+        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS")); // 허용할 HTTP 메서드 목록 지정
+        config.setAllowedHeaders(List.of("*")); // 모든 요청 헤더 허용
+        config.setAllowCredentials(true); // 인증 정보를 포함한 요청(Cookie 등)을 허용
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); // 경로 별로 다른 CORS 설정을 적용할 수 있도록 지원하는 구현체
+        source.registerCorsConfiguration("/**", config); // 모든 경로에 위에서 설정한 CORS 정책을 적용
+        return source;
+    }
+
     @Bean
     public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
 
-}
+}

src/main/java/com/moa/moa_server/domain/auth/service/AuthService.java

@@ -24,6 +24,7 @@ public class AuthService {
     private static final Set<String> ALLOWED_REDIRECT_URIS = Set.of(
             "http://localhost:5173/auth/callback",
             "https://b4z.moagenda.com/auth/callback",
+            "https://moagenda.com/auth/callback",
             "http://localhost:8080/api/v1/auth/login/oauth"
     );
 

src/main/resources/application-prod.yaml

@@ -1,15 +1,18 @@
 spring:
   jpa:
     hibernate:
-      ddl-auto: update
+      ddl-auto: none
 
   datasource:
     driver-class-name: com.mysql.cj.jdbc.Driver
     url: ${DB_URL}?serverTimezone=UTC&allowPublicKeyRetrieval=true&useSSL=false
     username: ${DB_USERNAME}
     password: ${DB_PASSWORD}
     hikari:
-      maximum-pool-size: 10
+      connection-timeout: 30000
+      idle-timeout: 600000
+      max-lifetime: 1800000
+      maximum-pool-size: 20
 
 kakao:
   client-id: ${KAKAO_CLIENT_ID}
@@ -20,4 +23,9 @@ frontend:
   url: ${FRONTEND_URL}
 
 ai:
-  server-url: ${AI_SERVER_URL}
+  server-url: ${AI_SERVER_URL}
+
+logging:
+  level:
+    root: INFO
+    org.springframework.web: WARN